Large amount of free eBooks from Microsoft available now!

With one long and huge URL. Aren’t you glad you don’t have to type it!

https://blogs.msdn.microsoft.com/mssmallbiz/2017/07/11/largest-free-microsoft-ebook-giveaway-im-giving-away-millions-of-free-microsoft-ebooks-again-including-windows-10-office-365-office-2016-power-bi-azure-windows-8-1-office-2013-sharepo/


Upgrading to Windows 10 Creators Update? My thoughts

So this past weekend I upgraded Windows 10 from v1607 to v1703.

Everything was straightforward. Within 30 minutes I was at v1703. Nothing looked odd. So far so good. [Yes, just 30 minutes. I have a Core i7 with an SSD, but the system itself is 3.5 years old.]

That wouldn’t last.

Unsure why Microsoft does this. Why can’t they leave our settings alone? For example:

  • I like my Caps Lock disabled. It’s back to enabled. [Note that this isn’t surprising. A while ago, with Windows 7 installed, I couldn’t install a security update until I enabled Caps Lock!]
  • I added some settings to enable a command prompt and an elevated command prompt when I right-click on a folder. Those disappeared.
  • Settings in File Explorer, such as the Details pane, were disabled.
  • I again had to disable a bunch of telemetry settings that I had enabled.
  • Audio dropped from 5.1 to 2.1.
  • Internet Explorer history is gone.
  • There is a “fix” in v1607 that enabled the “classic” User Access Control you saw in Windows 7. Now the fix does nothing. It’s gone.

There always seems to be stuff like this. Why can’t Microsoft just leave a setting alone once it has been set?


Heads up! Out-of-band Security Update for Outlook coming today

Microsoft is expected to release an out-of-band security update for all supported versions of Outlook [the application].

The update is to correct various issues.

It should be available around 1 pm Eastern time.

[Update: 2017/07/19] The update is delayed – not a good sign. It will now be released during the week of July 24th.

How to disable SMB v1

If you have been reading about WannaCry and Petya, most of the affected systems could have been protected in two ways.

First is to make sure systems were up to date on security updates and other patching.

Second would be to disable SMB v1.

[A third way would be up-to-date anti-virus/security software, but for those in the initial batches that were hit, a signature probably wouldn’t have been available yet.]

Server Message Block [SMB] is the file-sharing protocol most commonly used by Windows operating systems. It is an old protocol, over 10 years old. Communications are digitally signed, which enables the recipient of the packets to confirm their point of origin and their authenticity.

Note: Test before applying changes. You may still have some lesser-known applications that need SMB v1.

This link details how to disable SMB v1 for stand-alone computers as well as those on a domain for various operating systems.

If you are using a stand-alone computer [not on a domain], the registry “fix” below will disable SMB v1 and will take effect after rebooting:

Windows Registry Editor Version 5.00

; Disables SMB v1
; To enable, set to 1 or delete the entry
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"SMB1"=dword:00000000

With the release of the Windows 10 Fall Creators Update [a.k.a. v1709] and its server equivalent, SMB v1 will be disabled by default when you buy a new system or do a clean/fresh installation [i.e. not an upgrade].

Microsoft has a web page that lists Microsoft and third-party products that require SMB v1 and links with further information.

Note: A reminder that if you modify the registry, back up the registry before proceeding.
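The same change done from an elevated PowerShell prompt, with the “test before applying” check and the registry backup the post asks for. This is an added example, not part of the original post or of KB2696547; it assumes the SmbShare cmdlets (Windows 8 / Server 2012 and later) and an optional-feature name of SMB1Protocol (Windows 10 / Server 2016).

```powershell
# Added example (not from the original post): check for SMB v1 use, then disable it
# on a stand-alone Windows 10 / Server 2016 machine. Run from an elevated PowerShell.
# Assumes the SmbShare module (Windows 8 / Server 2012 and later).

# 1. Check first: active sessions and client connections report the dialect in use.
$v1Sessions = Get-SmbSession    | Where-Object { $_.Dialect -like '1.*' }
$v1Clients  = Get-SmbConnection | Where-Object { $_.Dialect -like '1.*' }
if ($v1Sessions -or $v1Clients) {
    Write-Warning "SMB v1 is in active use; identify these peers before disabling it:"
    $v1Sessions | Format-Table ClientComputerName, ClientUserName, Dialect
    $v1Clients  | Format-Table ServerName, ShareName, Dialect
}

# Optional: keep auditing SMB v1 access for a while before the change
# (events land in the Microsoft-Windows-SMBServer/Audit log).
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 2. Show the current server state; this mirrors the SMB1 registry value in the post.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol

# 3. Back up the key the post edits (the post's reminder) before touching it.
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    "$env:TEMP\LanmanServer-Parameters.reg" /y

# 4. Disable the SMB v1 server, the equivalent of "SMB1"=dword:00000000.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 5. Also disable the SMB v1 client driver (mrxsmb10), as KB2696547 describes.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

# 6. On Windows 10 / Server 2016 the whole feature can be removed; a reboot completes it.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# 7. Verify: EnableSMB1Protocol should now be False and the registry value 0.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -Name SMB1 -ErrorAction SilentlyContinue
```

The server-side change takes effect after a reboot, as with the registry fix above; the audit events are the place to look if something stops working afterwards.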

WannaCry’s little sister is spreading

WannaCry’s little sister Petya is making its rounds as we speak in Europe. It is shutting down computers at corporations, power companies, and banks across Russia, Ukraine, Spain, France, the UK, India, and Europe. The developers are demanding $300 in bitcoins. Already an estimated 300,000 computers have been infected in just 3 days.

Petya uses the same SMBv1 exploit as WannaCry.

Petya doesn’t encrypt individual files but instead encrypts the hard disk’s master file table and replaces the master boot record [MBR] with its own code, which displays the ransom note at boot-up and leaves the computer unable to boot into Windows.

Aside from keeping your computer up to date, follow KB2696547 to disable SMBv1. SMBv1 may still be required, though, by older software.

Of course, if you were smart enough to avoid WannaCry, which meant having up-to-date OS patches [or you had to rebuild your computer after a WannaCry infection], you shouldn’t be too concerned with this. On the other hand, those running Windows XP and Windows Server 2003 should be. They were for the most part spared WannaCry’s wrath because of faulty code by the developer. I would guess they learned from it.

[Update: 2017/06/27] If it is the same Trojan, it has actually been around for 15 months, according to Symantec and McAfee, and uses the “EternalBlue” exploit [MS17-07]. But Kaspersky says it isn’t the same and is calling the malware NotPetya.

Some sites claim the malware will only go after the MBR if it has administrator rights on the computer. If not, it will just try to encrypt individual files like WannaCry.

[Update: 2017/06/28] Researchers say that if you create a file [it doesn’t have to be empty] called “Perfc”, place it in C:\Windows and mark the file as read-only, it could protect your computer from getting Petya. It seems the ransomware loader looks for this file; if it exists, it skips doing anything.

If you start your computer, or it reboots, and it starts to run a “Chkdsk”, it is fake. It is doing the encryption. If you see this, turn off your computer immediately. You can’t boot the computer from its own disk, but you could boot an offline virus scanner to clean the computer and/or access your files and move them off the computer.

[Update: 2017/06/29] Because things are a bit sloppy, the developers of Petya didn’t really intend to make money, according to security experts. In addition, some believe that once a hard disk is encrypted it can’t be decrypted.

In addition, some are calling it “NotPetya” [mentioned before] and even “GoldenEye” because it differs too much from the original Petya released 15 months ago.

While other areas of the world were “casualties”, some are saying their intent was to disrupt Ukraine – which would mean the developers are most likely Russian.

[Update: 2017/06/30] Posteo, the email provider hosting the account where the Petya ransomware author was receiving messages, shut down the account, preventing victims from contacting the author to make payments and possibly recover their encrypted data. Even then, just an estimated $10,000 US was collected.


Kaspersky versus Microsoft on security

Kaspersky Lab complained recently that Microsoft uses “underhand tactics” to remove third-party antivirus, and in June took its complaints over Windows 10’s handling of third-party antivirus to the European Commission and the German Federal Cartel Office.

One of the key complaints is that Windows 10 uninstalls Kaspersky antivirus without the consent of users and enables the built-in Windows Defender, which could happen during major Windows updates if a third-party security product is incompatible with the latest version of Windows.

Microsoft replied that with the Windows 10 Creators Update, the customer is advised to install a new version of their security application right after the update completes. To do this, the upgrade first temporarily disables some parts of the security software when the update begins. Microsoft claims it worked with anti-virus partners. Maybe Kaspersky wasn’t included.

Kaspersky founder Eugene Kaspersky has accused Microsoft of using shady methods to “fiercely promote its own inferior” product, Windows Defender, over third-party antivirus already installed on Windows 10 PCs. Microsoft claims its Windows Defender is a strong security product. [Security testers say not really.]

Kaspersky also complained that security vendors have little time to make their product compatible, compared with previous versions of Windows [since Windows 10 gets upgraded every 6 months]. ESET is cited as having had similar compatibility problems with the Windows 10 Anniversary Update.

But given the number of security vendors, two [the known vendors that have complained] is very small. In addition, there are a few weeks between the “RTM” and the actual release date. How come other security vendors aren’t having compatibility problems? Not McAfee, not Symantec, not Avast, not AVG, …. [As far as I know.]

Only if a security subscription expires will Windows Defender begin providing protection.

Kaspersky complained that Windows users don’t need to pay for third-party antivirus because of Windows Defender. As well, they claim that Microsoft’s tech support staff have advised users to uninstall Kaspersky.

You can put a big chunk of the blame on Kaspersky themselves. Has any other security vendor complained? So why just them? Maybe Kaspersky has a grudge going on with Microsoft.

Does Kaspersky bother to tell those with Kaspersky software installed that, if they have a valid subscription, they can upgrade to the latest version? I guess not. This alone makes their clients less secure.

The only alternative is for Microsoft to have a pop-up window with something like:
“Your crappy security software is unsupported. Please upgrade to the latest version. Alternatively, with your approval, Windows 10 will be upgraded and your crappy security software will be removed and replaced by Windows Defender. You can then upgrade your crappy security software following the upgrade.”

In a virtual machine of mine, my Panda Free-AV was upgraded for me automatically yesterday. It shouldn’t be too hard for Kaspersky to do this.

Someone I know has a 3-year subscription to Kaspersky Total Security. Something went wonky and the computer wouldn’t update anymore. They chatted online and were told it would be escalated. They didn’t hear from Kaspersky, who closed the incident after a week. They contacted Kaspersky again and were told an email had been sent out with a new activation code. It never arrived. It was resent. The damn thing expires in 3 months, when the old key had 16 months left. Really crappy support.


Changes to Windows Server 2016 updates

Microsoft made some changes… again… when it comes to updates. With Windows Server 2016, initially there would only be one major release per year [compared to Windows 10, which gets major updates every 6 months]. Last week, Microsoft changed this. From now on [until the next change!], Microsoft will release major server updates at the same time as major Windows 10 updates [March and September].

Unlike Windows 10 [well, officially], you will have the option to skip one release between each major update [i.e. go from v1703 to v1803 and ignore v1709]. Server releases will be supported for 18 months. The Semi-annual Channel [as they call it] will be available to volume-licensed customers with Software Assurance, as well as via the Azure Marketplace or other cloud/hosting service providers and loyalty programs such as MSDN.

This matches how Windows 10 and Office are already updated.